MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74be37c9cc06be4a62c38f603993fe241697e4c5d20346f7c25474edd11a608a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74be37c9cc06be4a62c38f603993fe241697e4c5d20346f7c25474edd11a608a
SHA3-384 hash: 73d18e9167731d943a838f0ff73dc68fc2e60552448344efb52fe832c9026d2e408509037d1d88ef12f2bcdb28ade7d2
SHA1 hash: 26ccc9b7e38c87778dec4352e2799e7d6b6ebe25
MD5 hash: 1a24c23b652a75c0513eb5dd4919539a
humanhash: artist-emma-saturn-cup
File name:Doc_46563833838475633838384748338347563738383745657383227456383836473836473837474.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'140'736 bytes
First seen:2025-02-04 13:07:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:ig7VB1GvDu67tD2InBlSMnrFq/o4wgUBiGrQOJikONZoIpLoW:jpzWDuI0wSMnrF6o4wDBiGNJikOjFoW
Threatray 23 similar samples on MalwareBazaar
TLSH T1FA35E0C03B256702DD3A97B14124DDB413B72E69B021F2DA1DC937DB76A6B024E29F63
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter TeamDreier
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
472
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Doc_46563833838475633838384748338347563738383745657383227456383836473836473837474.exe
Verdict:
Suspicious activity
Analysis date:
2025-02-04 13:07:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d1522af-dcdb-45ed-ae80-c8cc5d023eae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a212052dcee78dd8195004
Tags:
virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67a2113e48470778009dcee6/reports/8e1f1ec2-e864-4b47-b36e-513c0535cdd5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/74be37c9cc06be4a62c38f603993fe241697e4c5d20346f7c25474edd11a608a
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d05e8c37-7592-4df6-b544-0a9ecc98e5bc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1606480
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1606480 Sample: Doc_46563833838475633838384... Startdate: 04/02/2025 Architecture: WINDOWS Score: 100 49 107.173.4.16 AS-COLOCROSSINGUS United States 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 8 other signatures 2->57 8 Doc_46563833838475633838384748338347563738383745657383227456383836473836473837474.exe 7 2->8         started        12 PBljgQXPJ.exe 5 2->12         started        signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\PBljgQXPJ.exe, PE32+ 8->41 dropped 43 C:\Users\...\PBljgQXPJ.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\...\tmpE273.tmp, XML 8->45 dropped 47 Doc_46563833838475...36473837474.exe.log, CSV 8->47 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 8->59 61 Writes to foreign memory regions 8->61 63 Modifies the context of a thread in another process (thread injection) 8->63 65 Adds a directory exclusion to Windows Defender 8->65 14 powershell.exe 23 8->14         started        17 powershell.exe 23 8->17         started        19 schtasks.exe 1 8->19         started        21 vbc.exe 8->21         started        67 Multi AV Scanner detection for dropped file 12->67 23 schtasks.exe 1 12->23         started        25 vbc.exe 12->25         started        signatures6 process7 signatures8 69 Loading BitLocker PowerShell Module 14->69 27 conhost.exe 14->27         started        29 WmiPrvSE.exe 14->29         started        31 conhost.exe 17->31         started        33 conhost.exe 19->33         started        35 WerFault.exe 2 21->35         started        37 conhost.exe 23->37         started        39 WerFault.exe 25->39         started        process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/74be37c9cc06be4a62c38f603993fe241697e4c5d20346f7c25474edd11a608a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74be37c9cc06be4a62c38f603993fe241697e4c5d20346f7c25474edd11a608a/
Threat name:
Win64.Trojan.Sonbokli
Create hunting rule
Status:
Malicious
First seen:
2025-02-04 11:12:54 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
24
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=os7dpsoma27euywdr5qdte76eqljpzgf2ibun56ckr2o3ui2mcfa._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
10fd2d2e6c357bcffff543914c648b64fc672861551b5b098ed84a6db04126a3
RemcosRAT
4099174fa448965adfe0f3bfc32014bfc4ec0ca5e20e754d64c683c05a9a912b
RemcosRAT
6be92b0d491f6d5d7f65e01a3336aac1155f091ad6def08b541e07b68eda3bb4
RemcosRAT
74be37c9cc06be4a62c38f603993fe241697e4c5d20346f7c25474edd11a608a
RemcosRAT
a87e9736d9566c024b1c9c63d8e742fa4c91cebd0a7de06c065d4412cfbed83d
RemcosRAT
cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1
RemcosRAT
error
RemcosRAT
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250204-qc85dswrax/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/26e84b98-9419-4b14-8a13-ab315e37d156
Unpacked files
SH256 hash:
74be37c9cc06be4a62c38f603993fe241697e4c5d20346f7c25474edd11a608a
MD5 hash:
1a24c23b652a75c0513eb5dd4919539a
SHA1 hash:
26ccc9b7e38c87778dec4352e2799e7d6b6ebe25
Link:
https://www.unpac.me/results/649124d4-e6d0-4cd9-9a36-a8ef29c2d65a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74be37c9cc06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/74be37c9cc06be4a62c38f603993fe241697e4c5d20346f7c25474edd11a608a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 74be37c9cc06be4a62c38f603993fe241697e4c5d20346f7c25474edd11a608a

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments